Why vendor security practices are causing heartburn for enterprise pros

A high degree of dependency on external vendors with unclear security policies is a concern among IT professionals, according to a Deloitte report.


For all of the effort IT professionals put into ensuring the integrity of data security measures within their own organization, the biggest data security risk actually lies with external vendors, according to a Tuesday report from Deloitte. Of the 4,050 professionals surveyed, 70% indicated a moderate to high level of dependency on external vendors, and 47% reported a risk incident involving an external vendor in the last three years. A plurality of 38% cited technology as their main risk concern in the extended enterprise over the next 12 months.

No business is an island--organizations of any size necessarily rely on external vendors to conduct business, as tasks such as payment processing fall outside the core competency of most industries, whether construction or candy manufacturing. Risk inherently accompanies that reliance.


"Executives extend the enterprise every time they use a cloud service, outsource a business process, or otherwise spread operations beyond the traditional four walls of their organization. Whenever this happens, benefits and risks are derived from those interactions with third parties," Dan Kinsella, a partner at Deloitte & Touche LLP's risk and financial advisory practice, said in a press release.

Ensuring that the vendors with which your organization works have suitably high standards and practices for handling sensitive data inside their internal IT ecosystem is critical to ensuring the integrity of your data. Deloitte suggests asking these questions of external vendors to gain insight into how they approach security:

  • Do they take a secure-by-design approach?
  • Do they use a secure system development life cycle?
  • Are their developers trained in the security aspects that you want achieved?
  • Do they conduct error testing?

In certain cases--particularly cloud computing--a full accounting of this is not practically possible at scale. The mismatch in size between a small business and a cloud giant makes it harder to obtain specific answers about the provider's approach to security. In those cases, judging by reputation and researching the answers to those questions yourself is likely easier. Large cloud vendors often visibly highlight their certifications for data lifecycle handling in specific industries--particularly healthcare and public sector--which are a hard requirement to win the business of organizations in those industries. Check the scope of any such attestation, since it generally covers particular services and regions rather than everything the vendor sells.

The Deloitte survey also highlights uncertainty beyond technological risk: 20% of respondents cited legal, financial, and regulatory risks as their main focus over the next 12 months, and 10% cited strategic (geo-political / climate) concerns, as recent political uncertainty in the US has made markets uneasy and protracted Brexit negotiations have added to it.

The big takeaways for tech leaders:

  • Analyzing the security practices of third-party vendors is necessary to prevent security lapses, though doing so in practice may be a challenge for smaller businesses.
  • 38% of professionals surveyed cited technology as their main risk concern in the extended enterprise over the next twelve months, 20% cited legal, financial, and regulatory risks, and 10% cited strategic (geo-political / climate) concerns. --Deloitte, 2019


Image: iStockphoto.com/Tinatin1